Initial commit

.gitignore

@@ -0,0 +1,33 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+*~
+.DS_Store
+.vscode

iam.tf

@@ -0,0 +1,68 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  principal_arn = var.principal_arn != null ? var.principal_arn : data.aws_caller_identity.current.arn
+}
+
+resource "aws_iam_role" "iam_role" {
+  name = "${local.namespace}-tf-assume-role"
+
+  assume_role_policy = <<-EOF
+         {
+           "Version": "2012-10-17",
+           "Statement": [
+             {
+               "Action": "sts:AssumeRole",
+               "Principal": {
+                   "AWS": "${local.principal_arn}"
+               },
+               "Effect": "Allow"
+             }
+           ]
+         }
+       EOF
+
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}
+
+data "aws_iam_policy_document" "policy_doc" {
+  statement {
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      aws_s3_bucket.s3_bucket.arn
+    ]
+  }
+
+  statement {
+    actions = ["s3:GetObject", "s3:PutObject"]
+
+    resources = [
+      "${aws_s3_bucket.s3_bucket.arn}/*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem"
+    ]
+    resources = [aws_dynamodb_table.dynamodb_table.arn]
+  }
+}
+
+resource "aws_iam_policy" "iam_policy" {
+  name   = "${local.namespace}-tf-policy"
+  path   = "/"
+  policy = data.aws_iam_policy_document.policy_doc.json
+}
+
+resource "aws_iam_role_policy_attachment" "policy_attach" {
+  role       = aws_iam_role.iam_role.name
+  policy_arn = aws_iam_policy.iam_policy.arn
+}

main.tf

@@ -0,0 +1,72 @@
+data "aws_region" "current" {}
+
+resource "random_string" "rand" {
+  length  = 24
+  special = false
+  upper   = false
+}
+
+locals {
+  namespace = substr(join("-", [var.namespace, random_string.rand.result]), 0, 24)
+}
+
+resource "aws_resourcegroups_group" "resourcegroups_group" {
+  name = "${local.namespace}-group"
+
+  resource_query {
+    query = <<-JSON
+{
+  "ResourceTypeFilters": [
+    "AWS::AllSupported"
+  ],
+  "TagFilters": [
+    {
+      "Key": "ResourceGroup",
+      "Values": ["${local.namespace}"]
+    }
+  ]
+}
+  JSON
+  }
+}
+
+resource "aws_kms_key" "kms_key" {
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}
+
+resource "aws_s3_bucket" "s3_bucket" {
+  bucket = "${local.namespace}-state-bucket"
+  force_destroy = var.force_destroy_state
+
+  versioning {
+    enabled = true
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm     = "aws:kms"
+        kms_master_key_id = aws_kms_key.kms_key.arn
+      }
+    }
+  }
+
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}
+
+resource "aws_dynamodb_table" "dynamodb_table" {
+  name         = "${local.namespace}-state-lock"
+  hash_key     = "LockID"
+  billing_mode = "PAY_PER_REQUEST"
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}

output.tf

@@ -0,0 +1,8 @@
+output "config" {
+  value = {
+    bucket         = aws_s3_bucket.s3_bucket.bucket
+    region         = data.aws_region.current.name
+    role_arn       = aws_iam_role.iam_role.arn
+    dynamodb_table = aws_dynamodb_table.dynamodb_table.name
+  }
+}

variables.tf

@@ -0,0 +1,17 @@
+variable "namespace" {
+  description = "The project namespace to use for unique resource naming"
+  default     = "s3backend"
+  type        = string
+}
+
+variable "principal_arn" {
+  description = "AWS principal arn allowed to assume the IAM role"
+  default     = null
+  type        = string
+}
+
+variable "force_destroy_state" {
+  description = "Force destroy the s3 bucket containing state files?"
+  default     = true
+  type        = bool
+}

versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_version = "~> 0.12"
+  required_providers {
+    aws    = "~> 2.19"
+    random = "~> 2.1"
+  }
+}